Get root access to all NSX components

The questions “How do I get root access to the different NSX components?” and “How can I find the root password?” come up quite often. For some components this is already widely documented (for example NSX Manager), while for others it is rarely described (for example the NSX controllers). I also haven’t yet found a complete overview of how to get root access to the underlying Linux layer on all components. So I thought I’d put this information together here for NSX versions 6.3 and 6.4.

But first a word of warning:
VMware does not support accessing and executing commands on the PhotonOS-based Linux subsystem as the root user. Since some Linux commands can damage or destroy the entire NSX environment, I would only recommend the following steps for educational purposes and in non-production environments.

And another hint:
By default, the root user is not available for remote logins. This is forbidden in the sshd_config file. Therefore you have to log in as the “admin” user via SSH first and then access the Linux console mode with “root” privileges.

Let’s start with the simplest:

NSX Manager

How to get root access to the Linux shell on the NSX Manager is even officially documented by VMware (but still not really supported): https://kb.vmware.com/s/article/2149630

In short:

  • Log in as the “admin” user via SSH
  • Switch to enable mode with the command “en” and enter the “enable” password
  • Type the following command to access engineering mode:
    st e

  • Type “y” on your keyboard
  • Enter the following password:
    IAmOnThePhoneWithTechSupport

That’s it. You are now in the Linux subsystem as root.

You will need that access level to get root access to all other components, because their root passwords are automatically generated during deployment and you have to read them from the Linux shell of the NSX Manager.

NSX controller

To switch to the root user on any controller node, we first need the root password for the specific controller. As already mentioned, the NSX Manager automatically generates this password when deploying the controller and saves the password in its database. So we have to query it there first. Luckily, there is a bash script on the NSX Manager for this.

But one step at a time.

  • Get root on the NSX Manager (see above)
  • Look for the controller id in the “Networking & Security” Tab in the vSphere (Web) client under the controller deployment section (Networking & Security > Installation & Upgrade > Management > NSX Controller Nodes).
  • Execute the following command in the Linux shell of the NSX Manager:
    /home/secureall/secureall/sem/WEB-INF/classes/GetNvpApiPassword.sh controller-NN
    

    (Replace “controller-NN” with the correct controller id. For example: controller-12)

    In the last line of the output you will find the root password for this controller node.

  • Now, log in as “admin” via SSH on the controller
  • Type the following command:
    : debug os-shell
    

    (Please note there is a colon and space before “debug”.)

  • Enter the root password which was displayed on the NSX Manager shell

Distributed Logical Router (DLR) / Edge Services Gateway (ESG)

There is no difference between ESG and DLR as far as root access is concerned. It’s the same for both components. But since Edge Gateways are mostly exposed and connected to the internet, it is a bit more complicated to get root access there.

  • Here, too, we first need the generated root password from the NSX Manager, and for this we need the ESG or DLR ID. This ID can be found in the vSphere (Web) Client under “Networking & Security” > “NSX Edges” in the first column of the displayed list (“Id”).
  • Once we know the ID, we can execute the following command in the Linux shell of the NSX Manager:
    /home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh edge-NN
    

    (Please change “edge-NN” to the correct edge id.)

  • Now you have to log in as the admin user in the local console (web console or VMRC) to activate engineering mode. It can’t be enabled in a remote session.
  • Switch to enable mode with the command “en” and enter the admin password
  • And activate the engineering mode with the following command:
    debug engineeringmode enable
    

  • After engineering mode has been enabled in a local console, you can log in via SSH as the admin user
  • Switch to enable mode with the command “en” and enter the admin password
  • Finally you can get root with the following command:
    st e
    
  • Enter the root password for the Edge Gateway or Distributed Logical Router

Guest Introspection Appliances

  • Enter the Linux console of the NSX Manager as root user (see first section)
  • Run the following command to obtain the root password of the GI-SVM(s):
    /home/secureall/secureall/sem/WEB-INF/classes/GetEpsecAppliancePassword.sh
    

  • After that you can log on as root user in a local console (web console or VMRC).

That’s it. You are now root on every NSX component.
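For monitoring, the commands used in this walkthrough make usable indicators of root-level access to NSX components. The following Python script is an added example, not part of the original post or of NSX itself; the record layout `<timestamp> <host> <user> <command>` and the sample records are constructed assumptions, not an NSX log format.

```python
import re

# Indicators are the commands shown on this page, mapped to what they expose.
RULES = [
    ("engineering-mode root shell (Manager/Edge)", re.compile(r"^st e$")),
    ("controller root shell", re.compile(r"^:\s*debug os-shell$")),
    ("edge engineering mode enabled", re.compile(r"^debug engineeringmode enable$")),
    ("controller root password read", re.compile(r"GetNvpApiPassword\.sh\s+(controller-\d+)")),
    ("edge root password read", re.compile(r"GetSpockEdgePassword\.sh\s+(edge-\d+)")),
    ("GI-SVM root password read", re.compile(r"GetEpsecAppliancePassword\.sh")),
]

# Constructed sample records; the "<timestamp> <host> <user> <command>"
# layout is an assumption about how command audit data has been collected.
CLASSES = "/home/secureall/secureall/sem/WEB-INF/classes"
SAMPLE = [
    "2024-05-01T09:00:01Z nsxmgr admin show version",
    "2024-05-01T09:00:07Z nsxmgr admin st e",
    f"2024-05-01T09:01:12Z nsxmgr root {CLASSES}/GetNvpApiPassword.sh controller-12",
    "2024-05-01T09:02:30Z ctrl-12 admin : debug os-shell",
    f"2024-05-01T09:05:44Z nsxmgr root {CLASSES}/GetSpockEdgePassword.sh edge-7",
    "2024-05-01T09:07:02Z edge-7 admin debug engineeringmode enable",
    "2024-05-01T09:08:00Z nsxmgr root ls /home/secureall",
]


def scan(lines):
    """Return (timestamp, host, user, finding, target) for each matching record."""
    hits = []
    for line in lines:
        parts = line.strip().split(None, 3)
        if len(parts) < 4:
            continue  # record does not follow the assumed layout
        ts, host, user, cmd = parts
        for finding, rx in RULES:
            m = rx.search(cmd)
            if m:
                # target is the controller/edge ID when the rule captures one
                target = m.group(1) if m.groups() else None
                hits.append((ts, host, user, finding, target))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep=" | ")
```

A password-read finding followed shortly by a root-shell finding on the matching controller or edge is the sequence this page describes, so correlating the two by target ID and time gives a higher-confidence alert than either alone.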

 
